Disabling VXLAN Termination


For security purposes, VXLAN termination can be disabled on ports that are not expected to source VXLAN-encapsulated traffic.


This prevents a malicious host attached to such a port from injecting VXLAN-encapsulated packets that the switch would otherwise terminate (decapsulate) and then forward. For example, the following command disables termination on port 35:


CLI (network-admin@switch) > port-config-modify port 35 no-vxlan-termination


It can be re-enabled, if necessary, like so:


CLI (network-admin@switch) > port-config-modify port 35 vxlan-termination


The default settings are:


  • vNETs with vlan-type private rely on VXLAN to implement their private characteristics. Therefore, when a port is configured as a managed port with vlan-type private, VXLAN termination is disabled on it by default.


  • Underlay ports have VXLAN termination enabled by default; use the port-config-modify command to disable it on any underlay port where port-level security requires it.
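The following shell script is an added example, not code from the Netvisor documentation or from Pluribus Networks. It generates the documented port-config-modify commands for a list of host-facing ports and then audits a port list to flag any host-facing port whose termination is still on. The port list, the two-column "port vxlan-termination" layout it parses and the idea of obtaining that layout from port-config-show are all assumptions made here; the sample output is constructed, so the script runs offline.

```shell
#!/bin/sh
# Added example; not part of the Netvisor documentation.
# Assumptions: the two-column "port vxlan-termination" text below is an
# assumed layout (it is not taken from the page), and the port numbers are
# a constructed list of host-facing ports.

# Constructed list of ports that must never terminate VXLAN.
HOST_PORTS="35 36 37"

# Emit the documented disable command (see the CLI example above) for each
# host-facing port, one per line, ready to paste into the Netvisor CLI.
disable_cmds() {
  for p in $1; do
    printf 'port-config-modify port %s no-vxlan-termination\n' "$p"
  done
}

# Audit: read "port vxlan-termination" rows from stdin and print every
# host-facing port (from $1) whose termination is still "on".
audit() {
  hosts="$1"
  while read -r port term; do
    case " $hosts " in
      *" $port "*)
        if [ "$term" = "on" ]; then
          printf '%s\n' "$port"
        fi
        ;;
    esac
  done
}

# Constructed sample in the assumed two-column layout; port 36 is already
# fixed, ports 35 and 37 still terminate VXLAN.
SAMPLE='port vxlan-termination
33 on
34 on
35 on
36 off
37 on'

if [ "${1:-}" = "demo" ]; then
  echo "# commands to apply:"
  disable_cmds "$HOST_PORTS"
  echo "# host-facing ports still terminating VXLAN:"
  printf '%s\n' "$SAMPLE" | audit "$HOST_PORTS"
fi
```

Run it as `sh check-vxlan-term.sh demo`. In practice the audit would be fed the real port list instead of SAMPLE; the point is that after applying the generated commands the audit should print nothing.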

